
Page 1: Information Commissioner's Office - Home | ICO · Wycliffe House - ICO Headquarters This report is confidential and is intended for use by the Management Board and Directors of the

Ian Falconer Partner T: 0161 953 6480 E: [email protected]

Will Simpson Senior Manager T: 0161 953 6486 E: [email protected]

Paul Eckersley IT Manager T: 0113 2002525 E: [email protected]

James Renwick IT Executive T: 0113 200 2599 E: [email protected]

Information Commissioner's Office

Internal Audit 2011-12: Business Continuity Review Last updated 6 February 2012

Distribution

For action: Simon Entwisle, Director of Operations; David Wells, Head of IT

For information: Christopher Graham, Information Commissioner

Timetable

Fieldwork completed: 21 September 2011

Draft report issued: 18 October 2011

Management comments: 17 November 2011 / 2 February 2012

Final report issued: 6 February 2012

Contents

Sections

1 Executive Summary 1

2 Detailed Findings 4

Appendices

A Internal audit approach 14

B Definition of internal audit ratings 16

C Business continuity planning process based on accepted best practice 17

D Business continuity planning cycle based on accepted best practice 18

Glossary

The following terms are used in this report:

ICO - Information Commissioner's Office

BCP - Business Continuity Plan

Capita - ICO's outsourced IT supplier

DR - Disaster Recovery

EMT - Executive Management Team

GSI - Government Secure Intranet

MCA - Mission Critical Activity (as defined by ICO)

SLA - Service Level Agreement

Sunguard - Disaster Recovery facility in Warrington, available for four weeks in the event of a disaster

Wycliffe House - ICO Headquarters

This report is confidential and is intended for use by the Management Board and Directors of the ICO only. It forms part of our continuing dialogue with you. It should not be made available, in whole or in part, to any third party without our prior written consent. We do not accept responsibility for any reliance that third parties may place upon this report. Any third party relying on this report does so entirely at its own risk. We accept no liability to any third party for any loss or damage suffered or costs incurred, arising out of or in connection with the use of this report, however such loss or damage is caused. It is the responsibility solely of ICO's management to ensure that there are adequate arrangements in place in relation to risk management, governance and control.


Information Commissioner's Office Internal Audit Business Continuity Review

©2012 Grant Thornton UK LLP. All rights reserved.


1 Executive Summary

1.1 Background

In accordance with our agreed internal audit plan, we undertook an improvement review of the Information Commissioner's Office's (ICO's) Business Continuity plans and processes.

There have been a number of significant operational changes at the ICO in recent years, including the move to a single site in Wilmslow, an increase in home working and the development of new business activities such as the audit function and the press office. A Business Continuity Plan exists and was tested in April 2011. Following the test, the Plan was revised and will be formally approved by executive management once this audit is complete.

This review will further inform our on-going understanding of ICO's governance and risk management activities.

1.2 Scope

Our role as internal auditor is to provide objective and independent assurance to the Audit Committee and management that business continuity arrangements are in place and are fit for purpose.

The objectives of the review were to:

• Provide assurance to management that the current business continuity processes and impact analysis adequately reflect the organisation's longer term requirements, particularly in light of the extensive changes in the last 12 months;

• Evaluate the current approach to the development of the plan;

• Establish whether the recent business changes affect the impact analysis;

• Assist management in developing a road map to address any gaps, and to include any lessons learnt from the recent tests, to further develop the revised business continuity plan.

Further details on responsibilities, approach and scope are included in Appendix A.



1.3 Internal Audit conclusion

While there is a business continuity process in place supported by documented plans, further significant improvements are needed in a number of important areas for those plans to be considered fully fit for purpose. The development of a BCP is an iterative process, typically following the ten stages summarised at Appendix D. The ICO's current status at each stage is shown diagrammatically below:

Management requested this improvement review to provide an independent view on whether or not the revised business continuity plan awaiting its approval was sufficient for its future business needs. As we conclude that further improvements are needed, it is premature to offer a formal audit opinion at this stage, but we propose to do so later in the year, after the deadlines for any agreed actions arising from our report.

Appendix B defines the opinion and recommendation ratings.

1.4 Key findings

The findings within this report have been organised in accordance with the phases of developing a BCP (see also Appendix C).

Business Continuity Phases           High  Medium  Low  Improve't
1 - Initiation                        -     -       -    -
2 - Risk analysis                     -     1       -    -
3 - Business impact analysis          -     2       -    -
4 - Create strategy                   -     1       -    -
5 - Emergency response                -     -       -    -
6 - Plan creation                     -     -       -    -
7 - Training and awareness            -     -       1    -
8 - Maintenance and testing           -     -       2    -
9 - Communications                    1     -       1    -
10 - Integrate with third-parties     -     1       -    -
Total                                 1     5       4    -

There was one finding rated as High: the voice and data requirements that support key business activities are not defined. This is a particularly significant oversight, given that the ICO deals with telephone calls and enquiries from the public.


The following findings were rated as Medium priority:

• ICO has not formally approved an assessment of the current threats that face the organisation in order to focus recovery plans on appropriate areas and activities.

• Mission critical activities need to be agreed and approved by the Executive Team. In addition, the maximum tolerable period of disruption for each activity has yet to be established.

• No temporary alternative accommodation arrangements are in place now that the ICO has moved onto a single site.

• The service level agreement (SLA) with the current IT supplier does not match the requirements of the current BCP.

• No plan is in place for the loss of the GSI connection.

Further details of our findings and recommendations are provided in Section 2.

1.5 Basis of our audit conclusion

There is a Business Continuity Plan in place which has been updated as a result of the consolidation of ICO's head office into one building (Wycliffe House). The ICO has gone some way to identifying its mission critical activities, although these still need to be reviewed from an overall organisational perspective. Desktop exercises are carried out in order to test the BCP, and IT disaster recovery tests are also undertaken. The ICO's SLA with its IT supplier (Capita) includes business continuity arrangements which were put in place before the current BCP was developed, and these do not match the current business requirements.

1.6 Elsewhere in the sector / Points of interest

As part of our work we seek to share examples of common practice we have seen at other clients or have identified in the wider sector market-place, which we think might be of relevance to the subject of this review, for your information and consideration:

• We ran a workshop for the senior management of a public sector body to establish their mission critical activities. The outcome was a greatly simplified plan which also reduced implementation costs.

• We have found in other organisations that more resilience is being designed and implemented into the IT infrastructure, to reduce the likelihood and impact of disruption to the organisation following a disaster or incident.

Some other common issues we have noted elsewhere are:

• A lack of a formal agreement between IT and other areas of an organisation leads to recovery priorities being determined by IT, which may not necessarily reflect the needs of the organisation.

• A client in the energy sector used an outsourced provider for its IT provision, but business continuity arrangements were not included in the contracts. This led to assumptions about the service provision that exceeded the contractual obligations of the supplier.

• A common issue is the lack of ownership of the BCP process, which allows plans to become out of date and, over time, no longer fit for purpose.

• Following the creation of a BCP, ownership and momentum need to be retained in order to maintain the plan in line with changes within the organisation or its environment and to ensure on-going awareness is sustained.

1.7 Acknowledgement

We would like to take this opportunity to thank the staff involved for their co-operation during this internal audit.


2 Detailed Findings

2.1 Risk analysis

1. Medium - Formal risk assessment

Finding and implication

As part of the business continuity planning process (see Appendix C for a process overview), it is good practice for an organisation to identify its key services and processes and to create a list of all known or anticipated threats that face them. These threats should include natural and man-made events. After identifying its threats, an organisation should risk assess these and focus on the threats of highest priority. Priority is determined by the likelihood or frequency of the threat and the consequence of its occurring.

The ICO's Mission Critical Activities (MCAs) have been documented within the Business Continuity Plan (BCP). However, the formal risk assessment was carried out in 2005, and therefore the vulnerabilities of critical resources and the risks they face may be out of date and may not have been properly identified or assessed.

There is a risk to the ICO that some threats may not have been considered or may have been prioritised incorrectly, leading to a plan that may not be effective.

Proposed action

a) ICO should re-evaluate the threats that could disrupt the organisation's key services and identify the critical activities, assets and resources that support them.

b) ICO should re-evaluate the organisation's objectives, stakeholder obligations and statutory duties, and identify those activities, assets and resources, including those outside the organisation, that support the delivery of these key services.

c) ICO should assess the impact and consequences over time of the failure of these activities, assets and resources (see Business impact analysis below).

Agreed action (Date / Ownership)

When the ICO business continuity plan was developed in 2005 a risk analysis was carried out. The presentation and subsequent risk table can be found in Meridio. However, the ICO acknowledges that the current arrangements for Business Continuity need updating. We will set up a small group, led by Simon Entwisle, to put a proposal for how that review should be carried out to ET by 31 December 2011. The review will involve IT and Internal Compliance. It will take account of the business continuity elements of the work already being undertaken in relation to ICO's commitment to the ISO27002 Information Security code of practice. The current plan was developed by looking at corporate MCAs. It then breaks down ICO responses into departments. The plan's incident management processes have been invoked and successfully applied.

Date Effective: Review to be completed by 30 April 2012

Owner: Simon Entwisle


2.2 Business impact analysis

2. Medium - Mission critical activities

Finding and implication

An important part of any business continuity plan is the business impact analysis (BIA). Good practice is for organisations to determine and document the impact of a disruption to the activities that support their key processes.

Mission Critical Activities (MCAs) have been identified within the BCP by individual departments, with each setting out what they consider to be their MCAs. The MCAs were revisited in 2011 to establish the corporate level mission critical activities essential to the survival or continuity of the ICO. However, these have not been approved by the Executive Team.

There is a risk that the MCAs within the BCP may be incorrect, leading to misallocation of resources and recovery effort in the event of a disaster. Consideration needs to be given to deciding which activities are truly mission critical for the ICO as a whole, as well as any interdependencies that may exist between them. For instance, Internal Compliance may not be a critical activity for the ICO, and this may delay the re-establishment of that function.

Proposed action

a) Linked to the recommendation above, the Executive Team (ET) should re-evaluate the organisation's mission critical activities based on the ICO's objectives, stakeholder obligations and statutory duties, and confirm that the activities identified are mission critical.

b) For each activity supporting the delivery of key services, ICO should assess the impacts that would occur if the activity was disrupted, and then establish the maximum tolerable period of disruption for each activity.

c) ICO should also identify any inter-dependent activities, assets, supporting infrastructure or resources that will be required in order to maintain mission critical activities.

Agreed action (Date / Ownership)

The MCAs were originally identified following a BIA. The BIA summary can be found on Meridio along with other documentation about the BIA. However, it is accepted that the MCAs may require updating. A brief review of the MCAs was carried out as part of the BCP test in April 2011, which identified a number of over-arching MCAs and accepted that further work may be required. Further review of the MCAs is to be undertaken as part of the overall review.

Date Effective: Review to be completed by 30 April 2012

Owner: Simon Entwisle


3. Medium - IT supplier SLA

Finding and implication

As part of defining business continuity requirements, arrangements need to be agreed with suppliers in order for equipment, resources and services to be available when they are needed, based on the BIA (see 2 above).

The current SLA with Capita (ICO's outsourced IT supplier) has systems, services and application recovery times defined. However, we understand these were established before the current BCP was written, and in some cases the expected recovery times differ from those outlined in the BCP, for example:

REPORT NET (MIS) - 10 days (3 days in BCP)

KOFAX (Scanning) - 10 days (3 days in BCP)

CIPHR (HR system) - 3 days (absent from BCP)

There is a risk that Capita may not recover systems in the timeframe currently required by the ICO.

Proposed action

a) Following the BIA (above), once maximum tolerable periods of disruption to activities have been assessed, the systems and applications that support these need to be documented within the BCP.

b) Timeframes for recovery of the systems then need to be agreed with Capita to ensure that they will be able to recover these systems in the required timeframe. This may result in additional costs, as the recovery is not built into the current contract.

c) The SLA then needs to be amended to reflect recovery requirements that are in line with the revised BCP.

Agreed action (Date / Ownership)

Agreed. Using the output from the BIA, the priorities for recovery of systems will be revised within the IT DR schedule.

Based on the most recent IT DR test (Jul 2011) it is expected that all systems will be restored within 2-3 days. This timeframe will be used in the review of the BIA. Should either the time to recover or the number of users able to use the systems change, then the existing DR provision will need to be revisited and may result in increased costs, although it may be the case that the current DR is over provisioned.

Date Effective: July 2012

Owner: Head of IT


2.3 Create strategy

4. Medium - Alternative accommodation

Finding and implication

When creating a business continuity strategy, there needs to be consideration of the people, premises and technology needed to deliver the mission critical activities. For the MCAs, the minimum levels of staff needed to fulfil these requirements, and the subsequent accommodation requirements, have not been defined.

Should Wycliffe House be lost or become unavailable, there is only a verbal agreement with the landlord (Emerson) that alternative accommodation in the area will be provided, if available.

There is an IT disaster recovery site (provided by Sunguard, a specialist IT recovery services provider) with ten desks and workstations. However, this facility is only available for four weeks and its primary function is to allow the recovery of the IT infrastructure.

The ICO has in the order of 30 laptops which could be re-deployed and thereby reduce the need to replace desktop equipment. However, a procedure for this is not included in the BCP.

There is a risk that, without the minimum staffing requirements being defined and alternative accommodation being available, the ICO will fail to deliver its MCAs in the event of a disaster.

Proposed action

a) ICO should determine the minimum staffing requirements in order to carry out its key objectives, both in the initial recovery phase and throughout the recovery process.

b) Once these minimum requirements have been established, an alternative accommodation strategy needs to be developed. This could be achieved through re-allocation of Regional Office space, arrangements for accommodation within other government departments (often through a reciprocal arrangement) or a formal agreement with the current (or possibly another) landlord for alternative accommodation.

c) ICO should determine whether a strategy of re-deploying laptops is appropriate, and/or make alternative provisions for the use of critical staff.

Agreed action (Date / Ownership)

The ICO is happy with the current arrangements; however, as part of the review, the group will undertake more work to formalise our approach and build in a review period for our arrangement with Emerson to ensure that it remains feasible in the event of a change in the economic climate.

The group will also be asked to consider the option to arrange a reciprocal arrangement with other organisations. It is agreed that the BCP could build in more detail about meeting space available to rent.

Date Effective: Review to be completed by 30 April 2012

Owner: Simon Entwisle


2.4 Training and awareness

5. Low - Staff training

Finding and implication

Training programmes need to be implemented to educate staff about the BCP, the scope of the plan and the procedures they will be expected to follow.

Although some staff from the Operations Directorate have attended government seminars on business continuity and disaster recovery, there has been no other training for management or staff. Business continuity does not have as high a profile within the ICO as some other policy areas. Other, more high profile areas of policy, such as Equality and Diversity, are also accompanied by compulsory training.

There is a risk that, without on-going training in support of policies and procedures, staff will be unaware of what to do in the event of a disaster.

Raising the profile of business continuity and disaster recovery within the ICO can only be achieved through management endorsement and awareness training.

Proposed action

a) ICO should develop a training or awareness programme in order to educate staff about business continuity and their responsibilities.

b) Any training programme should be supported by senior management to ensure staff have sufficient time and materials for the process to be effective.

Training and awareness can take many forms, including seminars, workshops, video presentations, individual training sessions and e-learning.

Agreed action (Date / Ownership)

The ICO is on the MoJ BC forum distribution list and carries out an annual test of the BCP to help to raise awareness at a senior level. There may be a decision to be made at ET level as to the extent the ICO wants to train staff on BC. It is proposed that the BC group would establish BC 'champions' that could raise awareness/provide training at directorate level.

Date Effective: Review to be completed by 30 April 2012

Owner: Simon Entwisle


2.5 Maintenance and testing

6. Low - IT disaster recovery tests

Finding and implication

A key area that ensures successful execution of a business continuity plan is thorough testing. Tests are designed to record lessons learnt and the likely recovery time. Once established, an organisation should review the outcome of the test to confirm that it meets its requirements. If this is not the case, the strategy or recovery processes should be amended.

A desktop test of the BCP was carried out in April 2011 and its findings documented. A separate ITDR test was carried out in July 2011 over two days. However, two days was insufficient time to recover four systems (CMEH, Meridio, Exchange and DUIS), and the test was not extended beyond the two days. All these systems had a stated requirement in the BCP for recovery within 3 days; however, it is not known whether they can be recovered on time, because the recovery was not completed within the two-day test window.

There is a risk that, due to the time limitations on testing, the ICO cannot be certain that these systems can be recovered within the required timeframe.

Proposed action

a) ICO, with Capita, should repeat the ITDR test to allow full recovery to take place for each system. The actual time taken to recover each system should be recorded, reviewed against the strategy, and any corrective action taken to achieve the recovery objectives or amend the strategy.

Agreed action (Date / Ownership)

The July 2011 DR test did not restore all systems completely. However, during the test the question of whether to allow all restores to continue for a full restore was discussed. It was agreed that the test had demonstrated that applications were being restored and that these were operable. Sufficient data had been obtained to be able to project the length of time the restore of each application would take. On this basis the DR test was stopped. A subsequent review deemed the test to have been successful.

The lessons learned from the DR test identified several bottlenecks which have been addressed.

No repeat of the DR test is considered necessary. The next one will be in summer 2012.

Date Effective: This action to be closed

Owner: Head of IT


7. Low - Backup tests

Finding and implication

Organisations should have backup arrangements in place based on the importance of systems and related data, and the frequency of data changes. For effective system recovery, the most recent backups should be stored offsite, in line with good practice. Regular tests of backups should be undertaken to ensure their reliability. In addition, there should be periodic tests of full system recovery.

Data backups for all systems and data are taken on a daily basis and 2 copies are produced. One is retained on-site and one tape is sent off-site for storage at Iron Mountain, where a rolling 2 months of data is retained.

There is some ad-hoc recovery of single files and folders to satisfy requests from users. However, there is currently no formal test plan in place. The Capita SLA states that a test must be carried out every three months to demonstrate that data and information can be successfully recovered from backups, but this has not been done since changes were made to the IT infrastructure in early 2010.

The Senior IT Service Manager stated that the intention was to implement a rolling recovery programme to ensure each server would be tested once within a 12-month period. At the time of the review, the rolling programme was not in place and it was uncertain when it would be.

There is a risk that, without testing of backups, the ICO may be vulnerable to data loss in the event of a disaster or hardware failure, as recovery may not be possible.

Proposed action

Management should implement a schedule of recovery tests to provide assurance that systems and data could be recovered in the event of a disaster.

Agreed action (Date / Ownership)

This is a very minor point. The audit notes that there are ad-hoc requests to restore files for users; this happens every 2-3 months. A check has been added to the monthly IT schedule: it is to review when the last restore was made and request one if no restore has been made for three months.

Date Effective: Added to IT calendar - Action complete

Owner: Head of IT


2.6 Communications

8. High - Telecommunications

Finding and implication

When creating a business continuity strategy, the communication requirements (for voice and data) needed to restore mission critical activities must be established. The ICO deals with calls and enquiries from the public, and we would expect telecommunications to feature within the business continuity arrangements.

Telecommunications are not included in the BCP or ITDR plan, and therefore the time it would take to recover voice and data networks has not been established. There are ten phones at the ITDR site, although this site is primarily designed for IT use when recovering IT systems. Some staff have ICO mobile phones which could be utilised during an incident. However, no formal plans are in place to confirm the number of telephones required or the data communication requirements in the event that the ICO office was to be unavailable.

There is a risk that the ICO would not be able to take telephone enquiries from the public, colleagues or its suppliers in the event of a disaster.

Proposed action

a) As part of the BIA and strategy creation, telecommunication requirements to support the MCAs should be defined and contingency arrangements put in place.

b) Emergency telecommunications should also be factored in to future business continuity tests.

Agreed action (Date / Ownership)

Agree – telephone requirements to be included in the BIA.

The existing arrangement is to transfer the main 0300 and Press Office numbers through BT. The Press Office number is redirected every time work is undertaken on the phone system. The main 0300 number will be tested as part of the next IT DR test.

Date Effective: September 2012

Owner: Head of IT


9. Low Communications planning

Finding and Implication

Controlling communications to the public and stakeholders is essential to managing any crisis. Contact details of relevant stakeholders and suppliers are contained within the BCP and there is a cascade system for communication to staff. However, whilst messages that need to be sent to different audiences have been drafted (public as well as friends and family), best practice would be to have all key messages for the different incidents and target audiences in place.

Internal and external messages need to be properly vetted by management in order to ensure that the correct message is sent to the appropriate recipients. The two messages that currently exist relate to public messages via website or e-mail, and a statement for friends and family.

The messages contained within the BCP are as follows:

"Due to a fire / explosion / incident at the offices of the ICO in xxx, we may be unable to respond to any new queries or ongoing cases within our usual timescales. We can assure you that all members of staff are safe and that no-one has been injured. (At this time we have no reports of any injuries to visitors or staff). The management of the incident is being handled by the emergency services / our own staff who are working to a well developed and practised plan. There will be a further statement as soon as more information is available." and

"At present we have no information regarding xxxx. As soon as he / she arrives at xxxx hospital where all patients and staff from offices are being treated, I will ensure that you are informed. Please can you let me have your name and a telephone number where you can be reached."

There is a risk that poor communication during a disaster scenario may lead to reputational damage to the organisation through conflicting messages to the press and public, or that staff may not be clear what is expected of them.

Proposed action

The existing messages need to be further developed so they can be used for most scenarios. Messages need to be for specific audiences and may need to be drafted for different mediums (e-mail out of office message, voicemail, as well as press statements and responses to enquiries).

Agreed action (Date / Ownership)

The ICO will review the current messages.

Due Date: April 2012

Owner: Simon Entwisle


2.7 Integrate with third parties

10. Medium GSI connection

Finding and Implication

It is good practice for business continuity plans to include any dependencies on third-party organisations such as suppliers of IT or alternative facilities and other government departments.

The disaster recovery site (SunGard) is available to the ICO for four weeks following a disaster at Wycliffe House in order to re-establish IT systems. Should the GSI connection to Wycliffe House be lost, a new GSI connection would take longer than four weeks to be reinstated at a different location. There is currently no contingency within the plan for an alternative GSI connection.

Proposed action

a) The ICO should discuss with Capita and Energis (GSI contractor) to determine the actual timeframe for re-establishment of a GSI connection should connectivity to Wycliffe House be lost. This needs to be reflected within the revised BCP.

b) Contingency arrangements should be developed for accessing GSI resources during an outage, whether this be via regional offices or other government departments.

Agreed action (Date / Ownership)

The GSi contract has SLAs that apply across all government customers – these will be added to the BCP.

The BIA will establish whether contingency access to GSi is required. Further investigation will be undertaken on how a non-GSi connection would be used for email and what the security restrictions would be.

Date Effective: April 2012

Owner: Head of IT


A Internal audit approach

Approach

Our audit was carried out in accordance with the guidance contained within the Government’s Internal Audit Standards and the Auditing Practices Board’s ‘Guidance for Internal Auditors’. We also had regard to the Institute of Internal Auditors’ guidance on risk based internal auditing (2005).

Our internal audit approach is based upon the underlying principles of the Combined Code on Corporate Governance together with the associated Turnbull Committee guidelines on internal control (2005), which require management to identify, assess and manage the risks that are significant to the achievement of the organisation’s overall business objectives. We also had regard to the HM Treasury Management of Risk Guidance (2001). Our role as internal auditor is to provide objective and independent assurance to the Audit Committee and management that it is doing so successfully for each of the areas being audited. Our aim in completing this audit was to ensure that the ICO has appropriate arrangements in place to identify, manage and report on risk.

We achieved our audit objectives by:

• meeting with key staff to gain an understanding of the arrangements in place, building upon the information we had already gained through our audit planning process;

• identifying the key risks and the management controls to mitigate those risks, and evaluating the effectiveness of the controls identified; and

• reviewing key documents in support of the above processes.

The findings and conclusions from this review will support our annual opinion to the Audit Committee on the adequacy and effectiveness of internal control arrangements.

Responsibilities

It is the responsibility of management to ensure that there are adequate controls and activities in place to ensure that the ICO's business objectives can be met and that the risks to the ICO are minimised. Based on the work we have carried out, we provide an objective assessment of the adequacy and effectiveness of controls and activities established by management to manage the identified risks to the ICO.

During the course of our review we have conducted interviews and, where necessary, testing/verification work to support our assessment of the adequacy and effectiveness of current arrangements.

It is our reporting protocol to balance our reporting of positive practice with areas for attention. This enables the ICO to build upon its strengths, whilst focusing upon key findings and associated recommendations which, if acted upon, should enhance the control environment and improve the management of key risks.

This report is part of a continuing dialogue between the ICO and ourselves. For this reason, we do not consider it appropriate for the report to be made available to third parties. Nor do we accept responsibility for any reliance that third parties may place upon the report.


Please refer to our letter of engagement for full details of responsibilities and other terms and conditions.

Scope

Our review considered the following areas/sub risks:

• Business continuity plans (BCP) may not accurately reflect the current nature and structure of the organisation resulting in a failure to maintain business operations in the event of a disaster;

• Risk assessment and impact analysis may be insufficient leading to a plan which is not fit for purpose;

• Communication, awareness and training may be insufficient, leading to failure to implement the plan in the event of a disaster; and

• IT disaster recovery plans may not be embedded in the overall business continuity plan leading to IT systems not able to support the resumption of operations.

Additional information

Client staff

The following staff were consulted as part of this review:

• Emma Dean, Senior Operations Support Manager

• Paul Arnold, Head of Customer Contact

• John Rackstraw, Senior IT Service Manager

Documents received

The following documents were received during the course of this audit:

• Business Continuity Plan (v2.3 July 2011)

• Organisation Chart

• ICO Business Continuity Plan Test and Review Results (07 April 2011)

• Capita ITS - ICO Disaster Recovery Post Test Report (26 August 2011)

• ICO Retention Schedule (information asset list)

• Capita SLA extract - Business Continuity Service

• Capita SLA extract - Data Backup, Data Retrieval and Data Retention Policy

• Capita SLA extract - Penalties

• Iron Mountain information (extract from http://ironmountain.co.uk)

Locations

The following locations were visited during the course of this review:

• Wycliffe House (Head Office), Wilmslow


B Definition of internal audit ratings

Internal audit opinion

Each opinion is expressed separately for design effectiveness and for operating effectiveness, with a rating for each.

No opinion can be given

• Design effectiveness: We have not been able to form an opinion on whether the internal controls examined have been designed to achieve the risk management objectives required by management.

• Operating effectiveness: We have not been able to form an opinion on whether the internal controls examined were operating to provide reasonable assurance that the related risk management objectives were achieved during the period under review.

Green

• Design effectiveness: Overall, we have concluded that, in the areas examined, the risk management activities and controls are suitably designed to achieve the risk management objectives required by management.

• Operating effectiveness: Those activities and controls were operating with sufficient effectiveness to provide reasonable assurance that the related risk management objectives were achieved during the period under review.

Amber

• Design effectiveness: Overall, we have concluded that, except for the specific weaknesses identified by our audit, in the areas examined, the risk management activities and controls are suitably designed to achieve the risk management objectives required by management.

• Operating effectiveness: Except for the controls listed below, those activities and controls that we examined were operating with sufficient effectiveness to provide reasonable assurance that the related risk management objectives were achieved during the period under review.

Red

• Design effectiveness: Overall, we have concluded that, in the areas examined, the risk management activities and controls are not suitably designed to achieve the risk management objectives required by management.

• Operating effectiveness: Those activities and controls that we examined were not operating with sufficient effectiveness to provide reasonable assurance that the related risk management objectives were achieved during the period under review.

Audit issue rating

Within each report, every audit issue is given a rating. The ratings are summarised below.

High: Findings that are fundamental to the management of risk in the business area, representing a weakness in control that requires the immediate attention of management.

• Key control not designed or operating effectively

• Potential for fraud identified

• Non compliance with key procedures / standards

• Non compliance with regulation

Medium: Important findings that are to be resolved by line management.

• Impact is contained within the department and compensating controls would detect errors

• Possibility for fraud exists

• Control failures identified but not in key controls

• Non compliance with procedures / standards (but not resulting in key control failure)

Low: Findings that identify non-compliance with established procedures.

• Minor control weakness

• Minor non compliance with procedures / standards

Improvement: Items requiring no action but which may be of interest to management, or best practice advice.

• Information for department management

• Control operating but not necessarily in accordance with best practice


C Business continuity planning process based on accepted best practice

1. Initiation: Get a sponsor, authority, scope and funding.

2. Risk analysis: Document and prioritise current risks (these include natural and man made disasters and scenarios).

• Natural threats

• Man made threats

• Prior warnings

• No warnings

3. Business impact analysis: Develop a low level business process blueprint; determine what is needed to sustain the business (both in the recovery phase and ongoing).

• Current processes

• Critical success factors

• Key performance indicators

4. Create strategy: Using the risk analysis and business impact analysis, formulate a possible strategy based on facts and assumptions in evidence (this can have a number of courses of action dependent on the scenario).

• Timeline

• Milestones

• Methods

5. Emergency response: Integrate the planned strategy with emergency response procedures. Set activation criteria for when to invoke the plan.

• Incident commander

• Emergency operations centre

6. Plan creation: Create and organise the plan including personnel assignment and detailed procedures.

• Organise and structure plan

• Assign teams, roles, responsibilities

• Catalogue procedures

7. Training and awareness: Teach individuals the skills to perform their role in the BC/DR plan. Educate the organisation about the plan and what to do.

• Leadership

• Skills

• Specific processes

8. Maintain and test: People must practise their roles to gain proficiency. Test to ensure the plan is fit for purpose and up to date, using structured exercises to identify deficiencies.

• Desktop

• Modular

• Functional

• Parallel

• Full

9. Communications: Public, employees, stakeholders. Communications are planned in advance; poor communication can be more damaging than the disaster. Plans include an uninterruptible communication system.

• Internal: teams, stakeholders, unaffected units

• External: public

10. Integrate with third parties: Integration with suppliers, clients, emergency services and other government departments.

• Government

• Business partners


D Business continuity planning cycle based on accepted best practice


www.grant-thornton.co.uk

© 2011 Grant Thornton UK LLP. All rights reserved.

"Grant Thornton" means Grant Thornton UK LLP, a limited liability partnership.

Grant Thornton UK LLP is a member firm within Grant Thornton International Ltd ('Grant Thornton International'). Grant Thornton International and the member firms are not a worldwide partnership. Services are delivered by the member firms independently.

This publication has been prepared only as a guide. No responsibility can be accepted by us for loss occasioned to any person acting or refraining from acting as a result of any material in this publication.